What is Phishing? How Hackers Steal your Identity

Over the past few months we have been sharing common phishing scams such as the Australia Post, AGL and ATO email scams, in the hope we can stop our followers from becoming victims of these. With this added focus on these scams we have had a number of people asking “What is Phishing?” (Thanks to those who brought this to our attention and no it has nothing to do with Fishing).

The Cost of Phishing

A cyber attack can lead to business disruption, loss of revenue and loss of productivity. While many businesses think they are to small of a target, Hackers do not only target corporations and banks, but also small businesses and organisations that simply do not have appropriate security in place.

What is Phishing & How do they do it?

Phishing is an attempt by scammers to acquire your sensitive information such as your bank account details, usernames, credit card details and passwords, for malicious reasons.

Unexpectedly, a scammer calls, sends you an email or a text message and pretends to be from a trustworthy entity such as a bank. By using leading questions they will aim to elicit information out for you now, to get information to use later. Sophisticated hackers will actually aim to get parts of your personal info, like you bank name or branch, to use later.

You receive a phonecall.

Hacker: “Hi Mr Smith, I’m from (insert Big 4 Bank here). I’m just calling as we have had some security concerns regarding your account. For security purposes, I just need you to confirm your BSB or Local Branch.”

You (assuming the branch of your bank is not important information – after all it’s not your pin!): “Yeah, sure. My local branch is Brisbane, BSB 123-456. What’s been happening with my account?”

Hacker: “Oh nothing to be concerned about, we have had some security issues on (insert Credit Card Company here) accounts. Have you noticed any suspicious activity on your (insert Credit Card Company here) account?

You: “No, nothing that I have seen. I’m protected right – if anything happens?”

Hacker: “You certainly are Mr Smith, just checking in to make sure everything is fine. Well, thanks for your time.”

At this point you have now confirmed with the hacker your local branch and that you have a particular brand of credit card. They can’t do much with your details. Yet.

You receive a phone call, a few weeks later.

Hacker: “Hi, Mr Smith, it’s (insert Branch managers name) from your local (insert Big 4 Bank here) branch in Brisbane. You may recall we had a few security issues with (insert Credit Card Company here) – for security purposes we have reissued you with new cards. So I can get them to you as soon as possible, what’s the best address?”

You: “Ah, sure, ok, 123 Brisbane Street”

Hacker: “Your home address?”

You: “Yeah”

So now, the hackers have your Full Name, Address, Bank Location, Phone number and Credit card company. With a bit of luck (on their part) they might be able to skim your birthday off the internet. (Thanks Social Media).

While this may be a crude example, it illustrates how a phishing scam doesn’t need to be scary or obvious. Further, it is actually quite subtle and the delivery of a well planned scam can be quite sophisticated.

At the same time it can be as simple as tricking you into downloading something from the internet. By including a link to a malicious website, a phishing hacker can get through your web security. The classic example is a file representing a word or PDF doc.

Prevention

Even Banks and large companies who put various measures in place to ensure IT Security can suffer from phishing scams. The biggest weakness in an IT security system is rarely the IT, it is the people using the IT. Phishing scams rely on social engineering to trick users into letting them into the system. It is for this reason, you should not trust emails from unknown or unsolicited sources.

There are so many ways to prevent identity theft online.

First, you should never open any attachment or link from an email that’s posing as your bank or as any other trustworthy entity and asking you to either verify or update your details.

Secondly, you should never provide personal information such as your online account information to an inbound caller, text message or email claiming to be from your bank or any other organization.

Thirdly, before giving them information, don’t be afraid to hang up or delete that email or text. Any inbound communication can be from anyone. However, you can always call the genuine company back with an outbound phone call or email them at their listed email. If you call the genuine company and find no outbound call has been made, then there is a chance someone has attempted to get your information through a phishing scam.

Hackers rely on making things appear normal, in order to elicit information from you. They try thousands of people, using the same tricks. More often than not they will not get anything, but all they need are a few people to hand over crucial details and they on track for a payday, at your expense.